Systems and methods for detecting device location and usage

ABSTRACT

Systems and methods for detecting misuse of devices comprising: receiving, from a device, a message comprising a first hash of device data that is indicative of a current device location and usage; generating a second hash of stored data, the stored data being based on an expected location and usage associated with the device; comparing the first and second hashes; and when the first and second hashes do not match, generating an alert.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 16/198,221 filed on Nov. 21, 2018, entitled “SYSTEMS AND METHODS FOR DETECTING DEVICE LOCATION AND USAGE,” the entirety of which is hereby incorporated by reference.

BACKGROUND

The present disclosure relates generally to systems and methods for detecting misuse of a device, and, more particularly, to detecting misuse based on a location and/or usage of the device.

Manufacturers enter into agreements with entities such as service providers and resellers to distribute and sell goods and services. These agreements typically specify pricing based on geographical region or location and may also include additional limitations on, for example, device usage. The grey market refers to the distribution and sale of non-counterfeit goods and services outside an intended or authorized distribution channel. In general, an entity may purchase a product in a first market where it is available at a lower price and then resell the product in a second market at a price that is higher than the original purchase price but lower than the market price in the second market. A customer who purchases a grey market product is typically unaware that there is a problem. These practices, along with improper usage of devices, reduce revenue for manufacturers and authorized partners and may also cause damage to the image and reputation of a brand or company. Attempts to combat these activities include, for example, monitoring secondary markets and imports for evidence of grey market goods, refusing to honor warranties of suspected grey market products, conducting audits of partners, and conducting random test purchases.

BRIEF SUMMARY

One aspect of the present disclosure relates to a system comprising a memory storing executable instructions; and a processor in communication with the memory, in which the processor when executing the executable instructions: receives, from a device, a message comprising a first hash of device data that is indicative of at least one of a current device location or a current device usage; generates a second hash of stored data, the stored data being based on at least one of an expected location or an expected usage associated with the device; compares the first and second hashes; and when the first and second hashes do not match, generates an alert.

Another aspect of the present disclosure relates to a method comprising: receiving, by a processor, from a device, a message comprising a first hash of device data that is indicative of at least one of a current device location or a current device usage; generating, by the processor, a second hash of stored data, the stored data being based on at least one of an expected location or an expected usage associated with the device; comparing, by the processor, the first and second hashes; and when the first and second hashes do not match, generating, by the processor, an alert.

A further aspect of the present disclosure relates to a computer-readable medium comprising instructions that when executed, cause a processor of a device to: in response to detecting a boot-up of the device, automatically extract first device data indicative of at least one of a current device location or a current device usage; generate a nonce; create hashed first device data comprising a hash of the first device data and the nonce; and automatically transmit a message comprising the nonce and the hashed first device data to an external system via a public network.

BRIEF DESCRIPTION OF THE DRAWINGS

So the manner in which the above recited features of the present disclosure may be understood in detail, a more particular description of embodiments of the present disclosure, briefly summarized above, may be had by reference to embodiments, which are illustrated in the appended drawings. It is to be noted, however, the appended drawings illustrate only typical embodiments encompassed within the scope of the present disclosure, and, therefore, are not to be considered limiting, for the present disclosure may admit to other equally effective embodiments, wherein:

FIG. 1 depicts a system in accordance with the present disclosure;

FIG. 2A depicts a first interaction in accordance with the present disclosure;

FIG. 2B depicts a second interaction in accordance with the present disclosure;

FIG. 3 depicts a third interaction in accordance with the present disclosure;

FIGS. 4A-4E are flowcharts of exemplary methods for detecting misuse of a device; and

FIGS. 5A and 5B are flowcharts of exemplary methods for automatically generating one or more messages.

DETAILED DESCRIPTION

The term “a” or “an” entity refers to one or more of that entity. As such, the terms “a” (or “an”), “one or more,” and “at least one” may be used interchangeably herein. It is also to be noted that the terms “comprising,” “including,” and “having” may be used interchangeably.

The term “automatic” and variations thereof, as used herein, refers to any process or operation done without material human input when the process or operation is performed. However, a process or operation may be automatic, even though performance of the process or operation uses material or immaterial human input, if the input is received before performance of the process or operation. Human input is deemed to be material if such input influences how the process or operation will be performed. Human input that consents to the performance of the process or operation is not deemed to be “material.”

The terms “computer-readable medium” and “computer-readable storage medium” as used herein refer to any tangible storage and/or transmission medium that participates in storing and/or providing instructions to a processor for execution. Such a medium may take many forms, including, but not limited to, non-volatile media (e.g., non-volatile random access memory (NVRAM), magnetic disks, and/or optical disks), volatile media (e.g., dynamic memory, such as main memory), and transmission media and may comprise an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof.

The terms “determine,” “calculate,” “compute,” and variations thereof, as used herein, are used interchangeably and may include any type of methodology, process, mathematical operation or technique.

The term “certificate,” as used herein, refers to cryptographic digital data files utilized to certify, at least in part, an electronic device. The term, “signature,” as used herein, is a data scheme or the result of other algorithmic operation such as to generate a hash, at least in part, from a private key and may be validated using a certificate associated with the private key. At no point does the term “signature” or “certificate,” as used herein, refer to the act of a human signing or the presence of a human signature on a physical document.

As shown in FIG. 1, a system 100 for configuring and authenticating devices comprises a Device Enrollment Service (DES) 102. The structure and operation of system 100 is explained in greater detail in U.S. Patent Application Publication No. 2018/0288035 (assigned to applicant), which is hereby incorporated by reference in its entirety. DES 102 may comprise a server 104 in communication with one or more processors (not shown) coupled to a database 106. DES 102 may be attached to a private network 108 via a public network 110 (e.g., the Internet), as shown in FIG. 1, or directly (not shown) to the private network 108. In some examples, DES 102 may be hosted or controlled by a device manufacturer 114, and in other examples, DES 102 may be a third party service that is separate from the device manufacturer 114. It is understood that all references to DES 102 made herein are intended to include both configurations of DES 102.

A plurality of endpoints or devices 112A-112C (referred to herein collectively as devices 112) may be attached to the private network 108, as shown in FIG. 1, or directly to the public network 110 (not shown). The devices 112 may comprise a variety of electronic devices and components that are capable of being connected to a network and may communicate with other devices 112 attached to the private and/or public networks 108, 110. For example, one or more of the devices 112 may comprise a digital telephone that uses Session Initiation Protocol (SIP) and/or other packet-based protocol; a softphone comprising a digital telephonic component embodied on a computing device, such as a personal computer; a smartphone; and/or another device comprising packet-based communication components. With reference to representative device 112A in FIG. 2A, each device 112 comprises a processor 112A-1 in communication with a memory 112A-2 comprising executable instructions stored thereon.

With reference to FIG. 1, DES 102 may comprise multiple interfaces, including an administrator interface that enables an enterprise to manage the services provided by DES 102 and to load the device certificates and associated MAC addresses onto the respective devices 112; a manufacturer interface that enables the manufacturer 114 of the devices 112 to load the certificates to DES 102; a service provider interface that enables service providers 118 to manage a service provider profile on DES 102 and associate the devices 112 to the service provider profile; a reseller interface that enables resellers 120 to associate the devices 112 with the service provider profile; and a device interface, which comprises a programmatic application program interface (API) to enable the devices 112 to be authenticated and redirected to connect to a specific service provider's interface.

During manufacture, the device manufacturer 114 may issue an instruction to each device 112 to generate a certificate or a certificate may be loaded into the devices 112. In response to the instruction, each device 112 generates a self-signed certificate, which may include one or more pieces of information specific to the device 112 (e.g., a serial number, a model number, a date of manufacture, a MAC address, a private key, etc.). Generating the self-signed certificate may comprise creating a hash of the certificate, such as using SHA256 or other hashing algorithm. The hash of the certificate is then provided to DES 102, along with one or more unique identifiers for each device 112, such as the MAC address, serial number, etc. DES 102 stores this information, e.g., in the database 106, in a record associated with each device 112 for later use in authenticating the devices 112. The record may also include a hardware configuration of each device 112.

A customer 116 may request a device, e.g., device 112A. The service provider 118 may directly supply the device 112A or may optionally utilize a reseller 120, in which case the service provider 118 may forward the customer's request to the reseller 120. The service provider 118 and/or reseller 120 may send one or more messages to DES 102. The message(s) may comprise a unique identifier for the device 112A (e.g., a MAC address, serial number, etc.) and/or other identifier (such as an enrollment code) that allows DES 102 to associate the device 112A with a respective one of the service provider 118 or the reseller 120. The message(s) may also comprise instructions to associate the device 112A with the customer 116 or a customer site. The device 112A is then delivered or otherwise made available to the customer 116. In other examples, the customer 116 may request the device 112A directly from the manufacturer 114, in which case the manufacturer 114 associates the device 112A with the customer 116 and ships or otherwise makes the device 112A available to the customer.

When the device 112A is booted-up for the first time and attempts to connect to a network of the customer 116, the device 112A is not trusted and may have limited functionality, e.g., the device 112A may have the capacity only to communicate with those components needed to authorize and/or authenticate the device 112A. Following boot-up, the device 112A (via the executable instructions stored in the memory 112A-2 of the device 112A) initiates a secure communication with DES 102. For example, a mutually authenticated communications channel may be established when the device 112A transmits a hash of its self-signed certificate to DES 102. The device 112A may also transmit a request to DES 102 to receive configuration information, such as an address of a provisioning server (not shown). DES 102 verifies that the hash of the certificate matches the stored hash associated with the device 112A, i.e., the device 112A is known to DES 102. DES 102 then transmits a DES-signed certificate and the address of the provisioning server, if requested. Using the DES-signed certificate, the device 112A obtains the necessary configuration information from the provisioning server. The device 112A may also present the DES-signed certificate to a service provider (not shown) associated with the customer's network, which validates the certificate and adds the device 112A to a list of trusted devices that are allowed to utilize the customer's network.

Manufacturers 114 may enter into an agreement with one or more service providers 118 and/or resellers 120 (hereinafter collectively referred to as partners 122) to sell devices 112. These agreements may place a variety of limitations on the location and/or usage of the devices 112. For example, the agreement may specify that the devices 112 are to be sold at different prices in one or more different geographical locations and/or regions. For example, the devices 112 may be sold at a first price in a lower price region and at a second, higher price in a higher price region. The manufacturer 114 may agree to provide special discounts and/or promotions that allow the partner 122 to purchase a device 112A from the manufacturer 114 at a lower price, and in exchange, the partner 122 agrees to sell the device 112A only in authorized regions specified in the agreement. However, the partner 122 may then ship the device 112A to the higher price region, where the device 112A is sold at a price that is lower than the manufacturer's price for that region but higher than the price at which the partner 122 agreed to sell the device 112A in the lower price region. When the device 112A is an authentic product that is sold in an unauthorized region, it is a grey market device 112A′. The agreement may include additional restrictions on the device location and/or usage that may affect billing. For example, the partner 122 may purchase a specified number of licenses for devices 112 at a particular location or site, but the partner 122 may sell more devices 112 to the customer 116 than allowed by the agreement. The devices 112 may also be used in a device-as-a-service (DaaS) arrangement, in which the customer 116 is provided with a predetermined number of devices 112 and/or a predetermined menu of device services and/or features that may vary over a specified time period. Certain usage of the devices, services, and/or features outside the specified time period may be a violation of the agreement.

These activities can be difficult to detect in a timely and efficient manner. Currently, the information transmitted between DES 102 and the device 112A in the system 100 of FIG. 1 contains only the data necessary for DES 102 to authenticate and authorize the device 112A and is insufficient to permit the manufacturer 114 or other interested entity to detect grey market activities or other misuse of the device 112A. In addition, the device 112A would generally not contact DES 102 again following the initial configuration and authentication, unless the device 112A is released and/or otherwise needs to be associated with a different entity or site. Current methods for detecting grey market activities and other misuse often require time- and cost-intensive monitoring by the manufacturer to identify the potential misuse and the partners suspected of engaging in the misuse. In addition, some of these methods rely on the user or a third party to collect and transmit the data and may fail to adequately safeguard the customer's data and privacy.

Systems and methods in accordance with the present disclosure leverage existing DES architecture, e.g., the system 100 shown in FIG. 1, to automatically detect and flag potential grey market activities and other anomalies based on a device's location and/or usage. The device may be programmed to contact DES on initial boot-up for purposes of authenticating the device, as described above, and the manufacturer may further program the device to continue automatically contacting DES at certain times following authentication, such as upon detection of a predetermined event, e.g., upon every boot-up. This programming may form a portion of a firmware of the device. The device may transmit a message with data that is indicative of the device's current location and/or usage, which may be compared by DES to stored data. If there is a discrepancy with the device's current location and/or usage, the device may have been deployed or used in a manner that violates the agreement with the manufacturer, and an alert may be generated. Because some or all of the device data is hashed before being transmitted, the customer's information is protected, as the device data generally cannot be reconstructed from the hash. In addition, the process of transmitting the message(s) to DES is automated, such that there is no need to rely on the user to voluntarily send the data, nor is there any need to rely on a third party to collect and transmit the data. Furthermore, the device is programmed to automatically contact DES, which increases the difficulty for the user or other party to tamper with or alter the device data or prevent the device from sending the data.

With reference to FIGS. 1 and 2A, a device, e.g., device 112A, may be sold to a partner 122 under an agreement that, for example, authorizes the partner 122 to sell the device 112A at a certain price in an authorized deployment region, which is represented by reference numeral 200. Based on the authorized deployment region 200, DES 102 generates stored data 204 that includes expected location and usage data 206 and associates the stored data 204 with the device 112A, e.g., based on the MAC address of the device 112A or other unique device identifier. The expected location and usage data 206 may comprise, for example, an expected SIP domain with which the device 112A is to be associated; a Domain Name System (DNS) domain; one or more expected time zones associated with the authorized deployment region 200; one or more configured languages (e.g., the language that the customer selects for the device 112A); emergency numbers (e.g., how the device is configured to dial emergency numbers); and the device's dial plan.

The expected location and usage data 206 may also comprise information related to an expected posture of the device 112A, e.g., how the device 112A is expected to be used. For example, the device 112A may include a variety of features and services, such as international calling, call forwarding, video calling, etc. The agreement under which the device 112A was sold may specify that only a subset of those features and/or services are to be activated or turned on, and the expected location and usage data 206 may comprise a list of those features and/or services that are authorized for the device 112A. The expected location and usage data 206 may further comprise information about one or more local servers and/or other systems (not shown) to which the device 112A is connected, such as a public Internet Protocol (IP) address of a DNS server and/or a public IP address of a Network Time Protocol (NTP) server. The stored data 204 for the device 112A may be stored in the database 106 along with the device certificate, serial number, etc. as part of the record associated with the device 112A. In the particular example shown in FIG. 2A, the expected location and usage data 206 of the device 112A in the authorized deployment region 200 comprises company1.com, time zone 1, and language A.

When the partner 122 provides the device 112A to the customer 116, the device 112A initially communicates with DES 102 as described above to authenticate and configure the device 112A for use on the customer's network. With reference to FIG. 2A, following authentication and configuration as described above, the device 112A then automatically transmits one or more messages 208-1 to 208-n (collectively referred to herein as message(s) 208) to an external system, e.g., DES 102, in accordance with the present disclosure. Each message 208 comprises device data 210 that is indicative of a current device location and/or usage, some or all of which may be hashed as described below. Each time the device 112A prepares to generate a message 208, the device 112A may also generate a nonce 216 that is used one time. The nonce 216 may comprise, for example, a random number. Using SHA256 or other suitable hashing algorithm, the device 112A then creates hashed device data that comprises a hash of the device data 210 and the nonce 216. The message 208 sent to DES 102 comprises the nonce 216 and the hashed device data. Establishing the secure communications channel 220 and hashing the device data 210 with the nonce 216 before transmission of the message 208 helps to protect the customer's identity and privacy.

The device data 210 that is hashed comprises data that is customer-specific, i.e., data that could potentially be used to identify a customer and/or could contain private or confidential customer information. Customer-specific data may comprise, for example, a current SIP domain of the device 112A, a current time zone, data related to a current posture of the device 112A (e.g., which features and/or services have been activated on the device 112A), a configured language, emergency numbers, and/or the device's dial plan, as described above. Alternatively, or in addition, the message 208 may comprise other data that is generally not customer-specific and is not hashed, such as a hardware configuration of the device 112, a DNS domain name, a public IP address of a DNS server and/or a public IP address of a NTP server. The device 112A may extract the device data 210 from the device 112A, e.g., from the memory 112A-2 of the device 112A, and/or from the server (not shown) or other external entity to which the device 112A is connected. Some data, such as the public server address, may be provided, for example, in a header (not shown) of the message 208. The message 208 may further comprise a timestamp that indicates a date and time when the message 208 was generated.

The device 112A′ depicted in FIG. 2B establishes a secure communications channel 222 to DES 102 and generates and transmits one or more messages 212-1 to 212-n (collectively referred to herein as message(s) 212) comprising device data 214 in a manner substantially similar to that described above in detail with respect to the device 112A and message 208. The device data 214 contained in each message 212 may similarly be hashed with a nonce 218 generated by the device 112A′.

The device 112A, 112A′ may automatically generate and transmit a message 208, 212 to DES 102 each time the device 112A, 112A′ detects an occurrence of a predetermined event. For example, the predetermined event may comprise boot-up of the device 112A, 112A′. Upon detecting a boot-up, the processor 112A-1, 112A-1′ of the device 112A, 112A′ may execute the executable instructions stored in the memory 112A-2, 112A-2′ to establish a secure communications channel 220, 222 with DES 102 by sending the device certificate to DES 102. Following establishment of the secure communications channel 220, 222, the device 112A, 112A′ may generate and transmit the message 208-1, 212-1 to DES 102.

In other examples, the predetermined event that triggers the generation and transmission of a message 208, 212 may comprise elapse of a predetermined time, e.g., a week, a month, etc. For example, upon detecting that the device 112A, 112A′ has been operating for the predetermined time without powering down, the executable instructions may cause the device 112A, 112A′ to generate and transmit an additional message, e.g., message 208-2, 212-2, to DES 102. The device 112A, 112A′ may store a log in the memory 112A-2, 112A-2′ comprising the timestamp of previous message(s), e.g., message 208-1, 212-1, and based on elapse of the predetermined time since transmission of the previous message 208-1, 212-1, the device 112A, 112A′ may automatically generate and transmit the additional message 208-2, 212-2. The additional message(s) 208-2, 212-2 may be important for detecting misuse of devices 112 that are powered down infrequently following the initial boot-up. In further examples, the predetermined event that triggers the generation and transmission of a message 208, 212 may comprise the device 112A, 112A′ detecting a change in an IP address of a server to which the device 112A, 112A′ is connected.

In some instances, a content of the message 208-1, 212-1 sent following boot-up may be the same as a content of the message(s) 208-2, 212-2 sent following other predetermined events. In other instances, the content may be different. For example, the message 208-1, 212-1 sent following boot-up may comprise data that is customer-specific and/or could potentially be used to identify a customer (e.g., the SIP domain), and the other message(s) 208-2, 212-2 may comprise data that is not customer-specific (e.g., the public address of a server to which the device 112A, 112A′ is connected). The device 112A, 112A′ may be configured to automatically alter the content of the messages 208, 212, or the content may be modified based on instructions received from DES 102, as explained herein.

With reference to FIGS. 2A and 2B, following establishment of the secure communications channel 220, 222 by the device 112A, 112A′, DES 102 receives a message 208, 212 from the device 112A, 112A′ that comprises a hash of the device data 210, 214. DES 102 then generates a hash of the stored data 204 with the same hashing algorithm used by the device 112A, 112A′ to generate the hash of the device data 210, 214. For example, DES 102 may use a device identifier (e.g., a MAC address or serial number), which may be extracted from a device certificate provided by the device 112A, 112A′ during establishment of the secure communications channel 220, 222, to locate and retrieve the stored data 204 associated with the device 112A, 112A′, e.g., from the database 106. In instances in which the message 208, 212 includes the nonce 216, 218, generating the hash of the stored data 204 may comprise extracting the nonce 216, 218 from the respective message 208, 212 and hashing the stored data 204 and the nonce 216, 218. DES 102 may follow the same procedure regardless of whether the message 208, 212 is received from the device 112A, 112A′ following boot-up, e.g., message 208-1, 212-1, or following a subsequent triggering event, e.g., message 208-2, 212-2.

In some cases, a device (not shown) that is not known to DES 102 may attempt to contact DES 102 and establish a secure communications channel. For example, the device may comprise a serial number and/or MAC address that is not stored in the database 106, in which case the hash of the certificate will not match any of the records associated with devices 112 known to DES 102. This device may be counterfeit, altered, or otherwise compromised and may be denied access to DES 102. DES 102 may extract and store some data from the device, such as the serial number and/or MAC address, in order to identify the device as having attempted to contact DES 102 and as being potentially malicious. In some examples, DES 102 may move the device to a quarantined environment so that additional interrogation and/or tracing of the device may be performed.

The hash of the stored data 204 is then compared with the hash of the device data 210, 214 to determine whether the device 112A, 112A′ is a potential grey market device or is otherwise being used improperly. In instances in which the message 208, 212 further comprises posture-related data, a domain name, and/or a public address of the server to which the device 112A, 112A′ is connected, DES 102 may extract this additional information from the message 208, 212 for comparison with the corresponding expected location and usage data 206.

With reference to FIG. 2A, the device 112A is deployed in region 200. Region 200 is an authorized deployment region for the device 112A, as specified in the agreement between the manufacturer 114 and the partner 122 (see FIG. 1). Thus, the device data 210 matches the expected location and usage data 206 stored by DES 102, such that the hash of the device data 210 contained in the message 208 matches the hash of the stored data 204 generated by DES 102. In addition, the domain name and/or public address of the server to which the device 112A is connected should match the expected location and usage data 206 generated by DES 102 because the device 112A is deployed in the authorized deployment region 200. DES 102 may log the message 208, along with the timestamp and an indication of a match, in the record associated with the device 112A.

However, the device 112A′ in FIG. 2B is deployed in region 202, which is not an authorized deployment region specified in the agreement between the manufacturer 114 and the partner 122. Thus, one or more of the items in the device data 214, e.g., the SIP domain, time zone, configured language, etc., may be different from the expected location and usage data 206, such that the hash of the device data 214 contained in the message 212 does not match the hash of the stored data 204 generated by DES 102, e.g., there is a mismatch. There may also be a mismatch between the domain name and/or public address of the server provided in the message 212, as compared to the corresponding expected location and usage data 206 generated by DES 102 based on deployment in authorized deployment region 200. DES 102 may log the message 212, along with the timestamp and an indication of a mismatch, in the record associated with the device 112A′.

Alternatively or in addition, the data related to the posture of either device 112A, 112A′ may indicate that the device 112A, 112A′ is not being used in an expected or authorized manner, e.g., one or more features and/or services of the device 112A, 112A′ may have been altered, i.e., enabled, disabled, added, and/or removed, in violation of the agreement under which the device 112A, 112A′ was sold. For example, the device 112A may be deployed in the authorized deployment region 200, but the international calling feature may have been activated in violation of the agreement under which the device 112A was sold to the partner 122. In other examples, the device 112A, 112A′ may comprise a hardware configuration that is not authorized for sale in the respective region 200, 202. For instance, the agreement between the manufacturer 114 and partner 122 may specify that a particular hardware configuration may be sold only in certain market(s)/region(s) and/or only to certain partner(s) 122 and/or customer(s) 116.

When the hash of the device data 210, 214 does not match the hash of the stored data 204 and/or the posture-related data, domain name, public address of the server, and/or any other data do not match the expected location and usage data 206, DES 102 may generate an alert, which may comprise a message that is sent to a system administrator for DES 102.
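The hash exchange described above, from message generation on the device to the comparison at DES 102, as an added Python example that is not part of the original disclosure. The JSON serialization, the nonce-then-data hash input, the field names, the nonce-reuse check and all sample values other than those of FIG. 2A are assumptions.

```python
import hashlib
import hmac
import json
import secrets


def canonical(data):
    # Assumption: both sides serialize the fields as sorted-key, compact JSON.
    # Any fixed encoding shared by device and DES works; without one the
    # hashes differ even when the underlying values are identical.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")


def hash_with_nonce(data, nonce):
    # Assumption: hash input is nonce || canonical(data). The disclosure only
    # says "a hash of the device data and the nonce".
    return hashlib.sha256(nonce + canonical(data)).hexdigest()


def build_message(device_data, unhashed):
    """Device side: fresh nonce per message, hash the customer-specific data."""
    nonce = secrets.token_bytes(16)
    return {
        "nonce": nonce.hex(),
        "hashed_device_data": hash_with_nonce(device_data, nonce),
        "unhashed": dict(unhashed),  # non-customer-specific fields, sent as-is
    }


class EnrollmentService:
    """DES side: recompute the hash over the stored expected data and compare."""

    def __init__(self, records):
        self.records = records      # device identifier -> stored data
        self.seen_nonces = set()    # assumption: DES rejects a reused nonce
        self.log = []               # (device identifier, matched) per message

    def check(self, device_id, message):
        # device_id stands for the identifier taken from the device
        # certificate during channel establishment.
        record = self.records.get(device_id)
        if record is None:
            return {"status": "unknown_device"}
        nonce = bytes.fromhex(message["nonce"])
        if (device_id, nonce) in self.seen_nonces:
            return {"status": "replayed_nonce"}
        self.seen_nonces.add((device_id, nonce))

        expected = hash_with_nonce(record["hashed_fields"], nonce)
        hash_ok = hmac.compare_digest(expected, message["hashed_device_data"])
        # Unhashed fields are compared one by one, so DES can name which differ.
        differing = sorted(
            key for key, value in record["unhashed_fields"].items()
            if message["unhashed"].get(key) != value
        )
        matched = hash_ok and not differing
        self.log.append((device_id, matched))
        return {
            "status": "match" if matched else "mismatch",
            "hash_ok": hash_ok,
            "differing": differing,
            "alert": not matched,
        }


# Constructed record; company1.com, time zone 1 and language A follow FIG. 2A.
DEVICE_ID = "00:11:22:33:44:55"
RECORDS = {
    DEVICE_ID: {
        "hashed_fields": {"sip_domain": "company1.com",
                          "time_zone": "time zone 1", "language": "A"},
        "unhashed_fields": {"dns_server_ip": "192.0.2.53"},
    }
}
# Constructed data for a device deployed outside the authorized region.
GREY_DATA = {"sip_domain": "company2.example",
             "time_zone": "time zone 2", "language": "B"}


def demo():
    des = EnrollmentService(RECORDS)
    # Key order differs from the stored record; canonical() makes that harmless.
    ok_msg = build_message(
        {"language": "A", "time_zone": "time zone 1", "sip_domain": "company1.com"},
        {"dns_server_ip": "192.0.2.53"})
    grey_msg = build_message(GREY_DATA, {"dns_server_ip": "198.51.100.53"})
    return [
        des.check(DEVICE_ID, ok_msg)["status"],
        des.check(DEVICE_ID, grey_msg)["status"],
        des.check(DEVICE_ID, ok_msg)["status"],            # same nonce again
        des.check("66:77:88:99:aa:bb", ok_msg)["status"],  # not in the database
    ]


if __name__ == "__main__":
    print(demo())
```

A hash mismatch tells DES only that at least one hashed field differs from the expected value, not which one; the per-field detail is available only for the data sent unhashed.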

Generating the alert may optionally further comprise application of one or more rules. A rules database (not shown; may be separate from, or part of, the database 106) may comprise one or more rules that determine when an alert is generated. In some examples, a filter rule may require that an alert be generated only if a predetermined number of mismatches occur within a specified time period, e.g., based on the timestamps of a current message and one or more messages previously received by DES 102. In some instances, a device 112A may be properly sold in authorized deployment region 200, but the user may travel temporarily into (unauthorized) region 202, which may cause DES 102 to register a mismatch. When the user returns to the authorized deployment region 200, the hash of the device data 210 should once again match the hash of the stored data 204 and/or domain name and/or public address of the server should match the expected location and usage data 206. Based on application of the filter rule, DES 102 may not generate an alert if a current number of mismatches is less than the predetermined number of mismatches for the specified time period. In instances in which DES 102 is hosted or controlled by the device manufacturer 114, the application of the one or more rules may be performed by DES 102 or by another system (not shown) that is hosted or controlled by the device manufacturer 114. In instances in which DES 102 is hosted or controlled by a separate, third party entity, the application of the one or more rules may be performed by DES 102 or by another system (not shown) that is hosted or controlled by the third party entity.
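One way to implement the filter rule described above, as an added Python example that is not part of the original disclosure. The threshold of three mismatches, the 30-day period, the device names and the timestamps are constructed values; the disclosure specifies none of them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class MismatchFilter:
    """Alert only when `threshold` mismatches fall within `window` for one device."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self.mismatches = defaultdict(deque)  # device id -> mismatch timestamps

    def observe(self, device_id, timestamp, matched):
        """Record one comparison result; return True if an alert is generated.

        Assumes the messages of a device are processed in timestamp order.
        """
        recent = self.mismatches[device_id]
        # Drop mismatches that fall outside the period ending at this message.
        while recent and timestamp - recent[0] > self.window:
            recent.popleft()
        if matched:
            return False
        recent.append(timestamp)
        return len(recent) >= self.threshold


def replay(events, threshold=3, window=timedelta(days=30)):
    """Run logged (device id, timestamp, matched) entries through the filter."""
    rule = MismatchFilter(threshold, window)
    return [rule.observe(dev, ts, ok) for dev, ts, ok in events]


T0 = datetime(2024, 1, 1)  # constructed start date


def day(n):
    return T0 + timedelta(days=n)


# Constructed log: a properly sold device whose user travels briefly into an
# unauthorized region (one mismatch), returns, and travels again much later.
TRAVELLER = [
    ("dev-A", day(0), True),
    ("dev-A", day(10), False),
    ("dev-A", day(17), True),
    ("dev-A", day(60), False),
]

# Constructed log: a device that reports a mismatch on every weekly message.
GREY_MARKET = [
    ("dev-B", day(0), False),
    ("dev-B", day(7), False),
    ("dev-B", day(14), False),
]

if __name__ == "__main__":
    print(replay(TRAVELLER))
    print(replay(GREY_MARKET))
```

Because the count is kept per device and pruned by timestamp, isolated mismatches from travel never accumulate, while a device that mismatches on every periodic message reaches the threshold within a few reporting intervals.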

In some examples, when there is a mismatch, DES 102 may use the MAC address or other unique identifier of the device 112A′ to determine an entity, i.e., the partner 122 and/or customer 116, with which the device 112A′ is associated. For example, the partner 122 and/or customer 116 may each maintain a profile in DES 102 that contains a list of device identifiers associated with the partner 122 and/or customer 116 and a list of authorized deployment regions for those devices 112. DES 102 may compare the device identifier of the device 112A′ with the list of device identifiers and authorized deployment regions in the partner's and/or customer's profile. DES 102 may also use the data in the profile to identify instances in which the posture of the device 112A, 112A′ or any other data does not match the data contained in the profile. For example, the device 112A, 112A′ may comprise a hardware configuration that is not authorized for sale to that particular partner 122 or customer 116. In this manner, DES 102 may identify partners 122 that are selling devices in violation of their agreement with the manufacturer 114 and/or failing to take proper precautions when dealing with other entities, e.g., resellers 120. DES 102 may also identify partners 122 and/or customers 116 who are improperly using the devices.

In other examples, after the device 112A, 112A′ has initiated contact with DES 102 and established the secure communications channel 220, 222, DES 102 may transmit one or more messages 224 to the device 112A, 112A′, as shown in FIGS. 2A and 2B. The message(s) 224 may comprise, for example, instructions regarding the device data 210, 214 to send in a subsequent message 208, 212. For example, a current message 208-1, 212-1 may comprise only customer-specific data (e.g., the SIP domain), and DES 102 may instruct the device 112A, 112A′ to send different data, such as the public address of a server to which the device 112A, 112A′ is connected, the next time the device 112A, 112A′ sends a message 208-2, 212-2.

DES 102 as described herein may also be used to locate devices 112 that have been lost or stolen. For example, if the device 112A is reported as being lost or stolen, DES 102 may flag the record associated with the device 112A. The next time the device 112A contacts DES 102, an alert may be generated, and the location of the device 112A may be provided to the appropriate entity (i.e., the partner 122 and/or customer 116) and/or to the appropriate authorities to allow recovery of the device 112A.

With reference to FIG. 3, in further examples, two or more devices, e.g., devices 112A, 112B may be deployed in a region or site, which is represented by reference numeral 300, and DES 102 may use data sent by the devices 112A, 112B to monitor site-wide parameters and conduct an audit of the devices 112A, 112B present at the site 300 and their usage. Although only two devices 112A, 112B are shown in FIG. 3, it is understood that the site 300 may include any number of devices. The database 106 associated with DES 102 may include a record with stored data 304 that comprises expected data 306 for some or all of the devices 112A, 112B deployed at the site 300, such as an expected number of devices 112A, 112B or “seats” for the site 300, an expected configuration or posture for the devices 112A, 112B (e.g., the features and/or services to be activated), and the like. For instance, the agreement under which the devices 112A, 112B were supplied to the site 300 may include licenses for 100 devices and 75 licenses for a certain feature/service. In other instances, the agreement under which the devices 112A, 112B were supplied to the site 300 may specify usage based on time, e.g., 200 seats during one or more peak time periods such as the holidays and 100 seats during all other non-peak time periods.

Each device 112A, 112B at the site 300 may establish a respective secure communications channel 320, 322 with DES 102 and generate and transmit a respective message 308, 312 in the same manner as described above with respect to the devices 112A, 112A′ in FIGS. 2A and 2B. Although only one message 308, 312 is shown, it is understood that each device 112A, 112B may transmit multiple messages. Each message 308, 312 may comprise a device identifier, a current SIP domain, a public server address, and/or any device data described herein, some or all of which may be hashed, as described above. DES 102 receives these messages 308, 312 and may generate a hash of the stored data 304 (when necessary), also as described above. DES 102 may then extract one or more pieces of data from the messages 308, 312 and compare it to the stored data 304 to detect any anomalies at the site 300. For example, the stored data 304 may indicate that 100 devices are expected at the site 300, but the data received from the devices 112A, 112B (e.g., the device identifiers) may indicate that there are 105 devices present at the site 300, which is a violation of the agreement for the site 300. The stored data 304 may also indicate that only 75 devices should have a particular service/feature activated, but the data received from the devices 112A, 112B may indicate that there are 85 devices in which the particular service/feature is activated. In other examples, the stored data 304 may indicate that only 100 seats should be in use at the site 300 at the time the messages 308, 312 were received, but the data received from the devices 112A, 112B may indicate that 200 seats are currently in use at the site 300.

When there is a mismatch between the data from the messages 308, 312 and the stored data 304 for the site 300, DES 102 may generate an alert, which may comprise a message that is sent to a system administrator for DES 102. An alert may also be sent to a billing department (not shown) so that appropriate action may be taken regarding the unauthorized use of additional devices/seats, services, and/or features at the site 300.
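The site audit of FIG. 3 can be sketched as a comparison of the devices' most recent reports against the stored expectations, using the 100-seat, 75-license and peak-period figures from the text. This is an added Python example, not part of the patent; the record layout, field names, peak dates and device identifiers are assumptions, and the messages are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed stored data for one site (field names are assumptions).
SITE = {
    "seats": 100,                                   # non-peak seat limit
    "peak_seats": 200,                              # limit during peak periods
    "peak_periods": [(datetime(2024, 12, 15, tzinfo=UTC),
                      datetime(2025, 1, 2, tzinfo=UTC))],
    "feature_licenses": {"international_calling": 75},
}


def sample_messages():
    """Constructed reports: 105 devices, 85 of them with the feature active."""
    base = datetime(2024, 3, 1, 9, 0, tzinfo=UTC)
    msgs = []
    for i in range(105):
        msgs.append({
            "device_id": f"02:00:00:00:00:{i:02x}",
            "timestamp": base + timedelta(seconds=i),
            "features": {"international_calling"} if i < 85 else set(),
        })
    # An older report from the first device that must not override its newest
    # one, since each device may transmit multiple messages.
    msgs.append({
        "device_id": "02:00:00:00:00:00",
        "timestamp": base - timedelta(hours=1),
        "features": set(),
    })
    return msgs


def expected_seats(site, when):
    """Seat limit in force at `when`: peak limit inside a peak period."""
    for start, end in site["peak_periods"]:
        if start <= when < end:
            return site["peak_seats"]
    return site["seats"]


def audit_site(site, messages, when):
    """Return (parameter, expected, observed) for every limit that is exceeded."""
    latest = {}
    for msg in messages:  # count each device once, by its newest message
        prev = latest.get(msg["device_id"])
        if prev is None or msg["timestamp"] >= prev["timestamp"]:
            latest[msg["device_id"]] = msg

    findings = []
    limit = expected_seats(site, when)
    if len(latest) > limit:
        findings.append(("seats", limit, len(latest)))
    for feature, licensed in sorted(site["feature_licenses"].items()):
        active = sum(1 for m in latest.values() if feature in m["features"])
        if active > licensed:
            findings.append((feature, licensed, active))
    return findings


if __name__ == "__main__":
    for when in (datetime(2024, 3, 1, 12, 0, tzinfo=UTC),
                 datetime(2024, 12, 24, 12, 0, tzinfo=UTC)):
        print(when.date(), audit_site(SITE, sample_messages(), when))
```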

FIGS. 4A-4E, 5A, and 5B illustrate exemplary methods in accordance with the present disclosure. The methods set out in FIGS. 4A-4E may be performed all or in part by a processor of a system, e.g., by a processor of the server 104, that is in communication with a memory device, e.g., the database 106 or other computer-readable storage medium, and executes instructions stored in the memory device. With reference to FIG. 4A, a method 400 for detecting misuse of devices begins at Step 402 in which a message is received from a device, the message comprising a first hash of device data that is indicative of a current device location and/or a current device usage. At Step 404, a second hash of stored data is generated, with the stored data being based on an expected location and/or expected usage associated with the device. The first hash of device data is compared to the second hash of stored data at Step 406. When the first and second hashes match, the method may conclude. When the first and second hashes do not match, an alert is generated at Step 408, after which the method 400 may conclude.

The stored data may be retrieved based on a unique identifier (e.g., a MAC address, serial number, etc.) extracted from a device certificate provided by the device (e.g., during establishment of a secure communications channel 220, 222). In some examples, the first hash of device data may comprise a hash of the device data and a nonce that is generated by the device. The message may further comprise the nonce, and the second hash of stored data is generated by hashing the stored data and the nonce. The stored data may be based on an authorized deployment region for the device.

FIGS. 4B-4D illustrate additional, optional functions that may be performed following receipt of the message in Step 402 of FIG. 4A. While Steps 410-414 of FIG. 4B, Steps 416-420 of FIG. 4C, and Step 422 of FIG. 4D are depicted as occurring between Steps 404 and 406 of FIG. 4A, it is understood that these Steps may occur prior to, after, or simultaneously with Steps 404-408 in FIG. 4A.

In some examples as shown in FIG. 4B, the message may further comprise a current posture of the device, and the method may optionally comprise comparing the current posture of the device to an expected posture of the device at Step 410. When the current and expected postures match, the method may resume in FIG. 4A. When the current and expected postures do not match, a second alert may be generated at Step 414, after which the method may resume in FIG. 4A.

In other examples as shown in FIG. 4C, the message may further comprise a public address of a local server to which the device is connected, and the method may optionally comprise extracting the public address of the local server from the message in Step 416 in FIG. 4C. At Step 418, the public address of the local server is compared to an expected address, in which the expected address of the local server is based on an authorized deployment region for the device. When the addresses match, the method may resume in FIG. 4A. When the addresses do not match, a second alert may be generated at Step 420, after which the method may resume in FIG. 4A.

In further examples as shown in FIG. 4D, the method may further optionally comprise determining in Step 422, based on a device identifier extracted from the message device certificate provided by the device, an entity with which the device is associated.

Following receipt of the first message, the method may optionally further comprise receiving from the device, a second message comprising a third hash of device data that is indicative of the current device location and/or device usage at Step 424 in FIG. 4E. At Step 426, a fourth hash of stored data is generated, with the stored data being based on the expected location and/or expected usage associated with the device. At Step 428, the third and fourth hashes are compared. When the third and fourth hashes match, the method may conclude. When the third and fourth hashes do not match, a second alert may be generated at Step 430, after which the method may conclude. In some examples, the device data contained in the second message is different from the device data contained in the first message.

The methods set out in FIGS. 5A and 5B may be performed all or in part by a processor of a device, e.g., by a processor 112A-1, 112A-1′ of the device 112A, 112A′, that is in communication with a memory device, e.g., the memory 112A-2, 112A-2′, and executes instructions stored in the memory device. With reference to FIG. 5A, a method 500 for automatically generating one or more messages begins at Step 502 in which, in response to detecting a boot-up of the device, first device data indicative of a current device location and/or device usage is automatically extracted. At Step 504, a nonce is generated, and at Step 506, hashed first device data is created that comprises a hash of the first device data and the nonce. At Step 508, a message comprising the nonce and the hashed first device data is automatically transmitted to an external system via a public network, e.g., to DES 102 via the Internet 110, after which the method 500 may conclude.

After generating the first message, the method may optionally further comprise, in response to determining that the device has been operating for a predetermined time without powering down, automatically extracting second device data indicative of the current device location and/or device usage at Step 510. At Step 512, a second nonce is generated, and at Step 514, second hashed device data is created that comprises a second hash of the second device data with the second nonce. At Step 516, a second message comprising the second nonce and the second hashed device data is automatically transmitted to the external system via the public network. In some examples, the second device data is different from the first device data.
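The device-side steps of FIG. 5A and the server-side comparison of FIG. 4A, put together as an added Python example that is not part of the patent. SHA-256, the length-prefixed field encoding, the record layout and the nonce-reuse check are assumptions of this sketch (the patent names no hash function or serialization), and the device identifier, which the patent takes from the device certificate, is passed here as a plain message field.

```python
import hashlib
import hmac
import secrets

# Constructed stored data keyed by device identifier (layout is an assumption).
RECORDS = {
    "02:00:00:00:00:01": {"sip_domain": "emea.example.com",
                          "server_addr": "192.0.2.10"},
}


def canonical(fields):
    """Serialize device data deterministically so both sides hash equal bytes."""
    out = bytearray()
    for key in sorted(fields):
        for part in (key, str(fields[key])):
            raw = part.encode("utf-8")
            # Length prefix keeps {"a": "bc"} and {"ab": "c"} distinct.
            out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def hash_with_nonce(fields, nonce):
    """Hash of the nonce followed by the canonical device data."""
    return hashlib.sha256(nonce + canonical(fields)).digest()


def build_message(device_id, device_data):
    """Device side (Steps 502-508): fresh nonce, then hash of data and nonce."""
    nonce = secrets.token_bytes(16)
    return {
        "device_id": device_id,   # stands in for the certificate-derived id
        "nonce": nonce,
        "hash": hash_with_nonce(device_data, nonce),
    }


def verify_message(message, records, seen_nonces):
    """Server side (Steps 402-408).

    Returns 'match', 'mismatch', 'unknown-device' or 'replayed-nonce'.
    The nonce-reuse check is an added hardening step, not described in the
    patent: without it a captured matching message could be sent again.
    """
    stored = records.get(message["device_id"])
    if stored is None:
        return "unknown-device"
    key = (message["device_id"], message["nonce"])
    if key in seen_nonces:
        return "replayed-nonce"
    seen_nonces.add(key)
    # Second hash: the stored (expected) data hashed with the device's nonce.
    expected = hash_with_nonce(stored, message["nonce"])
    if hmac.compare_digest(expected, message["hash"]):
        return "match"
    return "mismatch"


if __name__ == "__main__":
    seen = set()
    device = "02:00:00:00:00:01"
    in_region = build_message(device, RECORDS[device])
    moved = build_message(device, dict(RECORDS[device],
                                       sip_domain="apac.example.net"))
    print(verify_message(in_region, RECORDS, seen))   # match
    print(verify_message(in_region, RECORDS, seen))   # replayed-nonce
    print(verify_message(moved, RECORDS, seen))       # mismatch
```

A mismatch says only that some field differs from the stored record; identifying which one requires the unhashed fields the patent describes elsewhere (posture, domain name, public server address).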

The flowchart(s) and block diagram(s) in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various aspects of the present disclosure. In this regard, each block in the flowchart(s) or block diagram(s) may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). In addition, while the flowcharts have been discussed and illustrated in relation to a particular sequence of events, it should be appreciated that changes, additions, and omissions to this sequence may occur without materially affecting the operation of the disclosure. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, may be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

As will be appreciated by one skilled in the art, aspects of the present disclosure may be illustrated and described herein in any of a number of patentable classes or context including any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof. Accordingly, aspects of the present disclosure may be implemented entirely as hardware, entirely as software (including firmware, resident software, micro-code, etc.) or by combining software and hardware implementation that may all generally be referred to herein as a “circuit,” “module,” “component,” or “system.” Furthermore, aspects of the present disclosure may take the form of a computer program product embodied in one or more computer-readable media having computer-readable program code embodied thereon.

Any combination of one or more computer-readable media may be utilized. The computer-readable media may be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, or semiconductor system, apparatus, or device, or any suitable combination thereof. More specific examples may include an electrical connection having one or more wires; a floppy disk; a flexible disk; a hard disk; magnetic tape or any other magnetic medium; a magneto-optical medium; a random access memory (RAM); a read-only memory (ROM); an erasable programmable read-only memory (EPROM or Flash memory); a solid state medium like a memory card, chip, or cartridge; a portable compact disc read-only memory (CD-ROM); an optical storage device; an optical fiber; or any suitable combination thereof. A digital file attachment to email or other self-contained information archive or set of archives may be considered a distribution medium equivalent to a tangible storage medium. When the computer-readable media is configured as a database, it is to be understood that the database may be any type of database, such as relational, hierarchical, object-oriented, and/or the like. In the context of this document, a computer-readable storage medium may be any tangible storage medium or distribution medium and prior art-recognized equivalents and successor media that may contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.

A computer-readable signal medium may include a propagated data signal with computer-readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer-readable signal medium may be any computer-readable medium that is not a computer-readable storage medium and that may communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer-readable signal medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

Computer program code for carrying out operations for aspects of the present disclosure may be written in any combination of one or more programming languages, including an object-oriented programming language such as JAVA, SCALA, SMALLTALK, EIFFEL, JADE, EMERALD, C++, C#, VB.NET, PYTHON or the like, conventional procedural programming languages, such as the “C” programming language, VISUAL BASIC, FORTRAN 2003, PERL, COBOL 2002, PHP, ABAP, dynamic programming languages such as PYTHON, RUBY, and GROOVY, or other programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a LAN or WAN, or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider) or in a cloud computing environment or offered as a service such as a Software as a Service (SaaS).

Aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatuses (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, may be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable instruction execution apparatus, create a mechanism for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. Alternatively, a symmetric multiprocessor (SMP) system or other configuration including a plurality of processors may be used.

These computer program instructions may also be stored in a computer-readable medium that when executed may direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions when stored in the computer-readable medium produce an article of manufacture including instructions which when executed, cause a computer to implement the function/act specified in the flowchart and/or block diagram block or blocks. The computer program instructions may also be loaded onto a computer, other programmable instruction execution apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatuses or other devices to produce a computer implemented process such that the instructions that execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

While the exemplary embodiments illustrated herein show the various components of the system collocated, certain components of the system may be located remotely, at distant portions of a distributed network, such as a LAN and/or the Internet, or within a dedicated system. Thus, it should be appreciated, that the components of the system may be combined into one or more devices, such as a switch, server, and/or adjunct, or collocated on a particular node of a distributed network, such as an analog and/or digital telecommunications network, a packet-switch network, or a circuit-switched network. It will be appreciated from the preceding description, and for reasons of computational efficiency, that the components of the system may be arranged at any location within a distributed network of components without affecting the operation of the system. For example, the various components may be located in a switch such as a PBX and media server, gateway, in one or more communication devices, at one or more users' premises, or some combination thereof. Similarly, one or more functional portions of the system could be distributed between a telecommunication device(s) and an associated computing device.

Furthermore, it should be appreciated that the various links connecting the elements may be wired or wireless links, or any combination thereof, or any other known or later developed element(s) that is capable of supplying and/or communicating data to and from the connected elements. These wired or wireless links may also be secure links and may be capable of communicating encrypted information. Transmission media used as links, for example, may be any suitable carrier for electrical signals, including coaxial cables, copper wire, and fiber optics, and may take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

A number of variations and modifications of the disclosure may be used. It would be possible to provide for some features of the disclosure without providing others. For example, in one alternative embodiment, the systems and methods of this disclosure may be implemented in conjunction with a special purpose computer, a programmed microprocessor or microcontroller and peripheral integrated circuit element(s), an ASIC or other integrated circuit, a digital signal processor, a hard-wired electronic or logic circuit such as discrete element circuit, a programmable logic device or gate array such as PLD, PLA, FPGA, PAL, special purpose computer, any comparable means, or the like. In general, any device(s) or means capable of implementing the methodology illustrated herein may be used to implement the various aspects of this disclosure. Exemplary hardware that may be used for the present disclosure includes computers, handheld devices, telephones (e.g., cellular, Internet enabled, digital, analog, hybrids, and others), and other hardware known in the art. Some of these devices include processors (e.g., a single or multiple microprocessors), memory, nonvolatile storage, input devices, and output devices. Furthermore, alternative software implementations including, but not limited to, distributed processing or component/object distributed processing, parallel processing, or virtual machine processing may also be constructed to implement the methods described herein.

Although the present disclosure describes components and functions implemented in the embodiments with reference to particular standards and protocols, the disclosure is not limited to such standards and protocols. Other similar standards and protocols not mentioned herein are in existence and are considered to be included in the present disclosure. Moreover, the standards and protocols mentioned herein and other similar standards and protocols not mentioned herein are periodically superseded by faster or more effective equivalents having essentially the same functions. Such replacement standards and protocols having the same functions are considered equivalents included in the present disclosure.

While the foregoing is directed to embodiments of the present disclosure, other and further embodiments of the present disclosure may be devised without departing from the basic scope thereof. It is understood that various embodiments described herein may be utilized in combination with any other embodiment described, without departing from the scope contained herein. Further, the foregoing description is not intended to be exhaustive or to limit the present disclosure to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the present disclosure.

What is claimed is:
1. A system comprising: a memory storing executable instructions; and a processor in communication with the memory, wherein the processor when executing the executable instructions: receives, from a device, a message comprising a first hash of device data that is indicative of a current timestamp and at least one of a current device location or a current device usage; generates a second hash of stored data, the stored data being based on at least one of an expected location or an expected usage associated with the device; compares the first and second hashes; when the first and second hashes do not match, registers a mismatch; determines a total number of mismatches for the device within a time period by: retrieving, for at least one previous message received from the device, a previous timestamp; and calculating, based on the current timestamp and the previous timestamp, the total number of mismatches for the device within the time period; and when the total number of mismatches for the device is greater than a predetermined number, generates an alert.
2. The system of claim 1, wherein the processor, when executing the executable instructions: applies one or more filter rules that determine when the alert is generated.
3. The system of claim 1, wherein the first hash of device data further comprises a unique identifier of the device, and the processor, when executing the executable instructions: based on the unique identifier, determines an entity with which the device is associated.
4. The system of claim 1, wherein the processor, when executing the executable instructions: when the total number of mismatches for the device is less than the predetermined number, stores the message and an indication of the mismatch in a record associated with the device.
5. The system of claim 4, wherein the processor, when executing the executable instructions: receives, from the device, a subsequent message comprising a third hash of device data that is indicative of at least one of a current device location or a current device usage; generates a fourth hash of stored data, the stored data being based on at least one of the expected location or the expected usage associated with the device; compares the third and fourth hashes; when the third and fourth hashes do not match, registers a subsequent mismatch; based on the subsequent mismatch, determines the total number of mismatches for the device within the time period; and when the total number of mismatches for the device is greater than the predetermined number, generates an alert.
6. A method comprising: receiving, by a processor, from a device, a message comprising a first hash of device data that is indicative of a current timestamp and at least one of a current device location or a current device usage; generating, by the processor, a second hash of stored data, the stored data being based on at least one of an expected location or an expected usage associated with the device; comparing, by the processor, the first and second hashes; when the first and second hashes do not match, registering, by the processor, a mismatch; determining, by the processor, a total number of mismatches for the device within a time period by: retrieving, for at least one previous message received from the device, a previous timestamp; and calculating, based on the current timestamp and the previous timestamp, the total number of mismatches for the device within the time period; and when the total number of mismatches for the device is greater than a predetermined number, generating, by the processor, an alert.
7. The method of claim 6, further comprising: applying, by the processor, one or more filter rules that determine when the alert is generated.
8. The method of claim 6, wherein the first hash of device data further comprises a unique identifier of the device, the method further comprising: based on the unique identifier, determining, by the processor, an entity with which the device is associated.
9. The method of claim 6, further comprising: when the total number of mismatches for the device is less than the predetermined number, storing, by the processor, the message and an indication of the mismatch in a record associated with the device.
10. The method of claim 9, further comprising: receiving, by the processor, from the device, a subsequent message comprising a third hash of device data that is indicative of at least one of a current device location or a current device usage; generating, by the processor, a fourth hash of stored data, the stored data being based on at least one of the expected location or the expected usage associated with the device; comparing, by the processor, the third and fourth hashes; when the third and fourth hashes do not match, registering, by the processor, a subsequent mismatch; based on the subsequent mismatch, determining, by the processor, the total number of mismatches for the device within the time period; and when the total number of mismatches for the device is greater than the predetermined number, generating, by the processor, an alert.